VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Abstraction: Base · Status: Stable · Likelihood of exploit: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 78 of 512
  • CVE-2023-30839 · Critical · Apr 25, 2023
    risk 0.57 · cvss 9.9 · epss 0.02

    PrestaShop is an Open Source e-commerce web application. Versions prior to 8.0.4 and 1.7.8.9 contain a SQL filtering vulnerability. A BO user can write, update, and delete in the database, even without having specific rights. PrestaShop 8.0.4 and 1.7.8.9 contain a patch for this…

  • CVE-2022-4935 · High · Apr 5, 2023
    risk 0.57 · cvss 8.8 · epss 0.01

    The WCFM Marketplace plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 3.4.11 due to missing capability checks on various AJAX actions. This makes it possible for authenticated attackers, with minimal permissions…

  • CVE-2023-1471 · High · Mar 17, 2023
    risk 0.57 · cvss 8.8 · epss 0.01

    The WP Popup Banners plugin for WordPress is vulnerable to SQL Injection via the 'banner_id' parameter in versions up to, and including, 1.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it…

  • CVE-2023-24789 · High · Mar 6, 2023
    risk 0.57 · cvss 8.8 · epss 0.01

    jeecg-boot v3.4.4 was discovered to contain an authenticated SQL injection vulnerability via the building block report component.

  • CVE-2023-25158 · Critical · Feb 21, 2023
    risk 0.57 · cvss 9.8 · epss 0.01

    GeoTools is an open source Java library that provides tools for geospatial data. GeoTools includes support for OGC Filter expression language parsing, encoding and execution against a range of datastore. SQL Injection Vulnerabilities have been found when executing OGC Filters…

  • CVE-2022-38867 · High · Feb 15, 2023
    risk 0.57 · cvss 8.8 · epss 0.01

    SQL Injection vulnerability in rttys versions 4.0.0, 4.0.1, 4.0.2, and 4.4.x in api.go, allows attackers to execute arbitrary code.

  • CVE-2022-45090 · High · Feb 12, 2023
    risk 0.57 · cvss 8.8 · epss 0.01

    Improper Input Validation vulnerability in Group Arge Energy and Control Systems Smartpower Web allows SQL Injection. This issue affects Smartpower Web: before 23.01.01.

  • CVE-2022-45089 · High · Feb 12, 2023
    risk 0.57 · cvss 8.8 · epss 0.01

    Improper Input Validation vulnerability in Group Arge Energy and Control Systems Smartpower Web allows SQL Injection. This issue affects Smartpower Web: before 23.01.01.

  • CVE-2023-24163 · Critical · Jan 31, 2023
    risk 0.57 · cvss 9.8 · epss 0.01

    SQL Injection vulnerability in Dromara hutool before 5.8.21 allows an attacker to execute arbitrary code via the aviator template engine.

  • CVE-2020-22452 · Critical · Jan 26, 2023
    risk 0.57 · cvss 9.8 · epss 0.02

    SQL Injection vulnerability in function getTableCreationQuery in CreateAddField.php in phpMyAdmin 5.x before 5.2.0 via the tbl_storage_engine or tbl_collation parameters to tbl_create.php.

  • CVE-2022-47105 · Critical · Jan 19, 2023
    risk 0.57 · cvss 9.8 · epss 0.01

    Jeecg-boot v3.4.4 was discovered to contain a SQL injection vulnerability via the component /sys/dict/queryTableData.

  • CVE-2023-22727 · Critical · Jan 17, 2023
    risk 0.57 · cvss 9.8 · epss 0.01

    CakePHP is a development framework for PHP web apps. In affected versions the `Cake\Database\Query::limit()` and `Cake\Database\Query::offset()` methods are vulnerable to SQL injection if passed un-sanitized user request data. This issue has been fixed in 4.2.12, 4.3.11, 4.4.10.…

  • CVE-2022-3751 · Critical · Nov 29, 2022
    risk 0.57 · cvss 9.8 · epss 0.01

    SQL Injection in GitHub repository owncast/owncast prior to 0.0.13.

  • CVE-2022-45207 · Critical · Nov 25, 2022
    risk 0.57 · cvss 9.8 · epss 0.01

    Jeecg-boot v3.4.3 was discovered to contain a SQL injection vulnerability via the component updateNullByEmptyString.

  • CVE-2022-45206 · Critical · Nov 25, 2022
    risk 0.57 · cvss 9.8 · epss 0.01

    Jeecg-boot v3.4.3 was discovered to contain a SQL injection vulnerability via the component /sys/duplicate/check.

  • CVE-2022-38148 · High · Nov 21, 2022
    risk 0.57 · cvss 8.8 · epss 0.01

    Silverstripe silverstripe/framework through 4.11 allows SQL Injection.

  • CVE-2022-4093 · Critical · Nov 21, 2022
    risk 0.57 · cvss 9.8 · epss 0.04

    SQL injection attacks can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and…

  • CVE-2022-42120 · Critical · Nov 15, 2022
    risk 0.57 · cvss 9.8 · epss 0.01

    A SQL injection vulnerability in the Fragment module in Liferay Portal 7.3.3 through 7.4.3.16, and Liferay DXP 7.3 before update 4, and 7.4 before update 17 allows attackers to execute arbitrary SQL commands via a PortletPreferences' `namespace` attribute.

  • CVE-2022-37333 · High · Aug 24, 2022
    risk 0.57 · cvss 8.8 · epss 0.01

    SQL injection vulnerability in the Exment ((PHP8) exceedone/exment v5.0.2 and earlier and exceedone/laravel-admin v3.0.0 and earlier, (PHP7) exceedone/exment v4.4.2 and earlier and exceedone/laravel-admin v2.2.2 and earlier) allows remote authenticated attackers to execute…

  • CVE-2022-31181 · Critical · Aug 1, 2022
    risk 0.57 · cvss 9.8 · epss 0.05

    PrestaShop is an Open Source e-commerce platform. In versions from 1.6.0.10 and before 1.7.8.7 PrestaShop is subject to an SQL injection vulnerability which can be chained to call PHP's Eval function on attacker input. The problem is fixed in version 1.7.8.7. Users are advised…